From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Mark Salyzyn <salyzyn@android.com>
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com,
	linux-security-module@vger.kernel.org, stable@vger.kernel.org,
	Miklos Szeredi <miklos@szeredi.hu>,
	linux-unionfs@vger.kernel.org
Subject: Re: [PATCH] ovl: filter of trusted xattr results in audit
Date: Mon, 7 Oct 2019 18:48:28 +0200
Message-ID: <20191007164828.GB1090238@kroah.com>
In-Reply-To: <7c610f92-5e1f-32ef-0a60-ed47ea999fe3@android.com>

On Mon, Oct 07, 2019 at 09:42:08AM -0700, Mark Salyzyn wrote:
> 
> <sigh>
> 
> Now what is the playbook, we have three options in order of preference:
> 
> 1) #ifdef MODULE use capable() to preserve API, add a short comment about
> the side effects if overlayfs is used as a module.
> 
> 2) export has_capability_noaudit (proc and oom_kill use it, and are both
> built-in only), but affect the 3.18 API at near EOL. AFAIK no one wants
> that?

I'll just do this.  3.18 is EOL, this is only being done for a
distro-specific tree (i.e. AOSP).

> 3) Do nothing more. Make this a distro concern only. Leave this posted as a
> back-port for the record, but never merged, for those that are _interested_
> and declare 3.18 stable as noisy for sepolicy and overlayfs under some usage
> patterns with few user space mitigations unless they explicitly take this
> back-port into their tree (e.g. android common kernel) if used built-in. This
> way, in 3.18.y at least the module and built-in version behave the _same_ in
> stable.

I'll just add the export to the patch and check this into AOSP, thanks!

greg k-h

Thread overview: 7+ messages
2019-10-07 16:09 [PATCH] ovl: filter of trusted xattr results in audit Mark Salyzyn
2019-10-07 16:16 ` Greg Kroah-Hartman
2019-10-07 16:17   ` Greg Kroah-Hartman
2019-10-07 16:40     ` Greg Kroah-Hartman
2019-10-07 16:43       ` Mark Salyzyn
2019-10-07 16:42     ` Mark Salyzyn
2019-10-07 16:48       ` Greg Kroah-Hartman [this message]
